Re: [13] RFR: 8020637: Permissions.readObject doesn't enforce proper Class to PermissionCollection mappings

Fri, 05 Apr 2019 10:30:18 -0700

Updated webrev: http://cr.openjdk.java.net/~mullan/webrevs/8020637/webrev.01/
The serialized streams are now encoded within the test code itself. I also added a test case for an PermissionsHash object with invalid mappings. 


I also modified the fix. Instead of trying to fix the mappings in the 
encoded serialized form, readObject simply throws an 
InvalidObjectException. I believe that is the more correct behavior, as 
the deserialized form no longer adheres to the invariants of the 
serialized structures of the corresponding classes.


Thanks,
Sean

On 4/2/19 10:03 AM, Weijun Wang wrote:

+1.

--Max


On Apr 2, 2019, at 9:55 PM, Roger Riggs <roger.ri...@oracle.com> wrote:

Hi Sean,

Typically, fixed serialization streams are encoded in the source
as byte arrays. That keeps binary content out of the repo
and provides a place for the comments.

Roger


On 04/02/2019 09:50 AM, Sean Mullan wrote:

On 4/2/19 9:44 AM, Weijun Wang wrote:




On Apr 2, 2019, at 9:33 PM, Sean Mullan <sean.mul...@oracle.com> wrote:

On 4/1/19 11:12 PM, Weijun Wang wrote:

I can understand the change in Permissions, but is there any difference in 
PermissionsHash?


The key and value in the PermissionsHash map is always the same object. This 
fix ensures that is respected, otherwise after deserialization you could have a 
SocketPermission mapped to a FilePermission, for example. Would it be better if 
I added a test for that?


Yes, you are right. I thought the old code can also enforce this relation.

Now for the test, perms.ser is binary and you haven't described how it is 
generated.


I just hacked Permissions.writeObject to switch the mappings. That was a lot 
easier than trying to write my own serialization code. I will add some comments 
in the test explaining how I did that and what is in perms.ser.

--Sean




Thanks,
Max



--Sean


--Max

On Apr 2, 2019, at 1:10 AM, Sean Mullan <sean.mul...@oracle.com> wrote:

It is currently possible to change the mappings in a serialized 
java.security.Permissions object such that they no longer map correctly, and 
Permissions.readObject won't detect this.

This change makes sure that for a deserialized Permissions object, the 
permissions are mapped correctly to the class that they belong to. It does this 
by calling add() again for each permission in the deserialized Permissions 
object. The same technique was applied to a serialized PermissionsHash object 
which is used to store Permissions that don't implement their own 
PermissionCollection.

bug: https://bugs.openjdk.java.net/browse/JDK-8020637
webrev: http://cr.openjdk.java.net/~mullan/webrevs/8020637/webrev.00/

Thanks,
Sean





























					Reply via email to